Privacy Policy

1. Introduction

Docfarm (“we”, “us”, or “our”) operates the file hosting and distribution platform available at doc.farm (the “Platform”). We take your privacy seriously and are committed to handling your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch law.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. It applies to all users of the Platform, including account holders and anonymous viewers.

Please read this policy carefully. If you have any questions, contact us at hello@doc.farm.

2. Data Controller

The data controller responsible for your personal data is:

Docfarm

Capital C, Weesperplein 4B, 1018 XA Amsterdam, The Netherlands

Email: hello@doc.farm

3. Who Can Use Docfarm

Docfarm is intended for users who are 16 years of age or older. By using the Platform, you confirm that you meet this age requirement. We do not knowingly collect personal data from individuals under 16. If we become aware that a user is under 16, we will promptly delete their data.

4. What Personal Data We Collect

4.1 Account Holders

When you create an account, we collect:

• First name and last name
• Email address
• Avatar URL (auto-populated if you sign in with Google OAuth)
• Account creation timestamp and last sign-in timestamp
• Per-account preferences such as notification settings, AI tone-of-voice preferences, and default sharing settings

4.2 Document Data

When you upload or manage documents on the Platform, we process:

• The file itself (PDF or HTML format), along with its title, page count, and MIME type
• AI-generated summaries, outlines, and tags associated with your documents
• Per-document settings including password protection, email gating, chat permissions, tracking preferences, and custom domain configurations
• Collaborator information: invited email addresses, assigned roles, and invitation and acceptance timestamps

4.3 Share Links

When you create or share links to documents, we store:

• The unique link slug
• Access mode (open, password-protected, email-restricted, or domain-restricted)
• Expiry dates, allowed domains or email addresses
• Hashed passwords (using bcrypt) and link recipients

4.4 Viewer Data

When someone views a document shared via the Platform, we collect the following data per viewing session:

• A random viewer fingerprint ID stored in the viewer’s browser (per device)
• Viewer email address — only when the email gate is enabled or the viewer is a signed-in Docfarm user
• A hashed IP address (SHA-256 with a server-side salt; only the first 16 characters are stored and the raw IP address is never persisted)
• Referrer URL, user-agent string, device type (desktop or mobile), and approximate location (country and city) derived from request headers
• Session start and end times, total active and idle duration, and pages viewed
• An indicator of whether the session appears to have been forwarded from another viewer

4.5 Page-Level Interaction Events

During a viewing session, we collect granular interaction data including:

• The page number viewed
• Event type (such as page view or scroll)
• Active and idle time per page
• Timestamps of each event

4.6 AI Chat Data

Docfarm offers AI-powered chat features. We store:

• Owner-facing chat messages (questions and assistant responses) per document
• Viewer-facing AI chat conversations and messages
• Viewer questions submitted through the chat interface

4.7 Application Events

For account holders using the Docfarm application, we collect events such as app loads, document opens, uploads, share link interactions, and chat messages sent. We also store feedback entries, waitlist entries, AI drafts and actions, and aggregated link analytics.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

Contract Performance (Article 6(1)(b) GDPR)

• To provide, maintain, and operate the Platform and its features
• To authenticate users and manage accounts
• To enable document sharing, collaboration, and viewing functionality
• To process and fulfill requests you make through the Platform

Legitimate Interests (Article 6(1)(f) GDPR)

• To monitor and analyse Platform usage and performance
• To detect, prevent, and investigate abuse, fraud, or violations of our Terms of Service
• To improve and develop new features of the Platform
• To maintain security and integrity of the Platform

Consent (Article 6(1)(a) GDPR)

• To send you marketing communications and product updates (you can withdraw consent at any time)
• To place non-essential cookies or similar tracking technologies where required by law

Legal Obligation (Article 6(1)(c) GDPR)

• To comply with applicable laws, regulations, and lawful requests from authorities

6. Cookies and Similar Technologies

6.1 What We Use

Docfarm uses cookies and similar browser-based technologies to operate the Platform. Specifically:

• Session cookies: required to keep you logged in and maintain your session state while using the Platform
• Viewer fingerprint: a randomly generated identifier stored in your browser, used per device to track viewing sessions for analytics. This is not linked to your identity unless you are a signed-in user or have provided your email via an email gate

6.2 Cookieless Mode

Document owners have the option to enable a cookieless mode for specific documents. When this setting is active, the viewer fingerprint and associated tracking are disabled for viewers of that document.

6.3 Third-Party Cookies

We do not use third-party advertising or analytics cookies. However, if you choose to sign in using Google OAuth, Google may set its own cookies as part of the authentication process. Please refer to Google’s Privacy Policy for more information.

6.4 Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling essential session cookies may prevent you from using certain features of the Platform. Refusing non-essential cookies will not affect your ability to use core functionality.

7. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following categories of third parties, and only to the extent necessary for the relevant purpose:

Supabase (Database, Authentication, and Storage)

Our database, authentication, and object storage infrastructure is hosted by Supabase on AWS eu-west-1 (Ireland). Supabase processes the majority of your personal data on our behalf as a data processor under a Data Processing Agreement.

Vercel (Hosting and Compute)

Our application runs on Vercel’s platform. Serverless functions run in the US-East region (Washington DC). Static assets are served from Vercel’s global edge network. Vercel processes request metadata including hashed IP addresses and user-agent strings.

Anthropic (AI Processing)

AI features (including document summaries, tags, and chat) are powered by Anthropic’s Claude API, based in the United States. Document content and user prompts are sent to Anthropic only to fulfil AI functionality. Anthropic receives the minimum data necessary for this purpose.

Resend (Transactional Email)

Transactional emails (such as account confirmations and notifications) are sent via Resend, based in the United States. Resend receives your email address and the relevant email content.

Google (OAuth Authentication)

If you choose to sign in with Google, Google receives a sign-in token and provides your name, email address, and avatar URL. This is governed by Google’s own privacy policy.

International Data Transfers

Some of our third-party processors are based in the United States. Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) to ensure your data remains protected.

7.1 Other Disclosures

Beyond the processors listed above, we may share your personal data with third parties in the following circumstances:

• Where required by applicable law or a binding legal request from a competent authority
• To protect the rights, property, or safety of Docfarm, our users, or others
• In connection with a merger, acquisition, or sale of all or part of our business, provided that the recipient is bound by equivalent data protection obligations

8. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

• Account data: retained for as long as your account remains active. Upon account deletion, all associated data is permanently and immediately removed from our systems
• Viewer session data and document analytics: retained for as long as the associated document and share link are live on the Platform
• Server logs and infrastructure logs: retained for as long as the relevant services are operational
• AI chat messages: retained in association with the relevant document until the document or account is deleted

You may request deletion of your data at any time by contacting us at hello@doc.farm or by deleting your account through the Platform settings.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

• Right of access: you may request a copy of the personal data we hold about you
• Right to rectification: you may ask us to correct inaccurate or incomplete data
• Right to erasure: you may ask us to delete your personal data, subject to certain legal exceptions
• Right to restriction of processing: you may ask us to limit how we use your data in certain circumstances
• Right to data portability: you may request your data in a structured, machine-readable format
• Right to object: you may object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at hello@doc.farm. We will respond within one month of receiving your request. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

• Bcrypt hashing for all stored passwords
• SHA-256 hashing with a server-side salt for IP addresses (raw IPs are never persisted)
• Encryption in transit (HTTPS) for all data exchanged with the Platform
• Access controls limiting data access to authorised personnel and processors only

No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by the GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this document and, where the changes are material, notify you by email or by a prominent notice on the Platform. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Docfarm

Email: hello@doc.farm

Website: doc.farm

Registered address: Capital C, Weesperplein 4B, 1018 XA Amsterdam, The Netherlands